VMware NSX Banks On Security

A year after launching NSX with much fanfare, VMware is targeting its network virtualization platform at customers with ample security budgets in the wake of high-profile security breaches.

A year ago at VMworld, VMware made a huge splash with the formal launch of its NSX network virtualization platform. Everyone, it seemed, was talking about NSX and its promise of transforming networking into a more automated process.

That's a tough act to follow. At this week's VMworld, VMware released an updated version of NSX, but other products -- such as EVO:RAIL -- took center stage and the NSX buzz had subsided to more of a hum. Still, NSX -- part of VMware's vision of a software-defined data center -- figured prominently in the conference, as executives touted its customer traction and security benefits while technical sessions focused on its implementation.

"The feeling around VMworld this year is different," said networking expert Tom Hollingsworth of Gestalt IT. "There's much less talk about NSX. It feels like it’s a part of the solution now instead of being the centerpiece."

He described data center security as an architectural problem, where all investment is focused on creating a hard network perimeter, which leaves a soft, unprotected interior. Attackers manage to break into the data center and then move laterally between workloads, undetected. NSX is designed to distribute security inside the data center by pushing firewall functionality to the hypervisor. VMware touts improved "micro-segmentation" capabilities with the latest version of NSX.

Security has turned out to be the top use case for NSX customers, driving about 50% of sales and topping other drivers like cost efficiency, said Martin Casado, who was recently promoted to senior vice president of the networking and security business unit at VMware. In a session, he told attendees the trend surprised him, but is a result of companies spending more on security than anything else -- other than damages caused by security breaches.

VMware said it counts more than 150 customers and a $100 million annual sales run rate with NSX. Customers include financial institutions like Umpqua Bank, service providers such as China Telecom, and retailers like Starbucks and BestBuy.

"Unequivocally, it's arrived," said Casado, who founded Nicira, which VMware acquired and used as the basis for NSX.

Andrew Lerner, a research director at Gartner, said security is a nice use case that VMware fell into. The beauty of the security use case for VMware is that there's ample enterprise budget for it, and it's an easier sell than the SDDC concept. "They've identified a tangible pain point where there's funding," he said.

With the increased focus on security due to recent high-profile breaches such as Target, companies -- especially retailers -- are interested in deploying firewalls within the data center, Lerner said. He refers to this as intra-data center firewalling rather than VMware's micro-segmentation terminology; the technology provides firewalling closer to the VM and is far cheaper than traditional firewalling approaches, he said.

Gestalt IT's Hollingsworth, who also is a Network Computing contributor, said micro-segmentation is important to many security-conscious companies.

"But the real takeaway there is that it will happen for other enterprises automatically," he added. "Think of the Apple sandbox for apps -- most people don't care about the sandbox, only that everything is more secure because of it."

VMware said NSX lets organizations implement "follow-the-VM-security" by establishing security policies when they provision a new application. Integration with partner vendors such as Palo Alto Networks provides more fine-grained security for more sensitive data.

Mike Fratto, a principal analyst at Current Analysis, said micro-segmentation is nothing more than a feature, but is pretty compelling as a component of NSX's overall capabilities.

"The ability to easily isolate the components (tiers, layers, etc.) of an application from other applications that don't normally share resources is a desirable goal for information security administrators," he said in an email interview. "However, the controls in NSX aren't enough to really block attacks that result in the data loss, like SQL injection and other application-level attacks. For those L5-7 controls, VMware looks to partners to fill the gaps."

ACI competition

It's still early days for NSX, as it is for Application-Centric Infrastructure (ACI) from SDN competitor Cisco, Lerner said.

"It's hard to say who's winning," he said. "The numbers are so small, and it's so early."

Cisco enjoys the advantage of being the incumbent networking vendor with a large and loyal client base, Lerner said. Networking pros are risk-averse, and ACI, with its integrated software and hardware, could appear to be more of an incremental change than NSX, he added.

Eric Wright, a VMware vExpert and Toronto leader of the VMware User Group (VMUG), also noted the stiff competition VMware faces with Cisco in the networking space, but said it's made progress with NSX.

However, for the platform to become viable for small and midsize businesses, it will need to be accessible and understandable, he said in an interview at VMworld. "It's getting there," he added.

But VMware's position that the physical network is just a forwarding layer is misguided, Fratto said. No matter how capable an overlay like NSX is, the layers need to communicate with each other for a software-defined data center to be truly optimized in a reliable manner, he said.

"Cisco and other networking vendors understand this. VMware as a company doesn't seem to, and that is an uncharacteristic mistake for VMware," he said.

Marcia Savage is the managing editor for Network Computing, and has been covering technology for 15 years. She has written and edited for CRN and spent several years covering information security for SC Magazine and TechTarget. Marcia began her journalism career in daily ...

Pablo, I am interested to see what they do with AirWatch long term as well. At the conference they announced they are combining the Horizon 6 VDI platform and AirWatch in a "Workspace Suite." The Workspace Suite will give mobile users access to applications through single sign-on with applications living in the VMware Workspace Portal and appearing in the AirWatch application catalog.

You can read more if you copy and paste the link below: http://blogs.vmware.com/euc/2014/08/introducing-vmware-workspace-suite.html

I am wondering how they will use AirWatch's data management and collections capabilities. That could be a great entry into big data visibility :)

Charlie, I agree that it makes perfect sense and seems to be the direction that service providers and large enterprises will follow. BUT I also got feedback from a few veteran IT professionals that question the strategy and whether VMware truly has the best security solution, or it's just easy to get behind because they have been so successful with virtualization. Another technology could come along and totally disrupt the market, just as virtualization did. Something to think about.

Security that monitors virtual resources, particularly the hypervisor, is likely to become the norm, not the exception, as it is now. The virtual machine itself provides a barrier to easy intrusion, and if we can safeguard its operation, security will have taken a giant step forward.

As the divide between the digital and physical technologies becomes lesser, moving more data into the datacenter and as the price of storage decreases -- it creates a high demand for datacenter resources and that these resources provide a secure environment. If the data center is not optimized to handle this demand in an efficient manner, then many things start to fall apart.
